Eric Stewart: Running Off At The Mouth

Cat 6500 to Nexus 7K Migration Note: Or, The 6500’s Dirty Little Secret

by Eric Stewart on Aug.13, 2015, under Networking, Technology

The Catalyst 6500 is a slut.  By default it will answer just about any ARP request it hears for an IP that isn't actually on that VLAN, handing out its own MAC in reply.

Now, I don’t mean to slut-shame the 6500.  It’s a good, durable, capable chassis.  It’s just annoying when its liberal behavior hides strange issues that bite you hard when you move things off of the 6500 onto, say, a 7700.

What The Heck Are You Talking About?

Some LAN 101 here for IPv4 …

When a set of computers on the same LAN segment (VLAN, etc.) are properly configured with the right IP address, netmask, and gateway, a computer that wants to talk to another computer on its LAN simply sends a broadcast (essentially yells out) that says, “Hey, who is [IP]?  Give me your MAC so that I may converse with you properly!”  That broadcast is an ARP request.

If it wants to talk to a computer not covered by the netmask it’s configured with, it goes to the gateway and says, “Hey, you should be able to pass this on to someone who knows how to get to this guy, so send them this data.”

But what if that netmask ends up covering a wider range of computers than are actually on that LAN?  Well, if a computer is so misconfigured, what should happen is that it will ARP for an address not actually on its LAN, and never hear a response.  This would of course result in a call from a desktop support tech to a network admin claiming that the network is broken, which of course would then result in the network admin calling the desktop support tech an idiot …

This is also why network admins prefer DHCP: No grubby human hands getting into the network configuration of a computer and mistyping a critical piece of information.

Enter Proxy ARP

The thing is, you can configure the gateway to say “Yo baby just come to me and I’ll take your information from you and send it where it needs to go.”  The gateway is claiming to be an IP it is not. This is Proxy ARP.  I’ve seen a case of a printer with a statically assigned address for a particular LAN, but a mask and gateway for a different LAN, continue to work simply because of Proxy ARP (or, more accurately, it stopped working because of the absence of Proxy ARP).

It’s a little misleading to say you can configure the gateway to do this, because, while yes, you can, it’s also something that a 6500 will do for VLANs it routes for by default.

Like I said.  The 6500 is a slut.

There’s No Clue This Is Going On Until It’s Not

So, say you decide to upgrade your 6500 with a Nexus 7700.  You’ve been using those 6500s for probably over a decade.  Computers have gone from being regularly statically configured with an IP to hopefully (but not always) converted to DHCP (with reserved leases when need be).

See, the thing is, the Nexus line is a bit more chaste, since (I can’t give the specifics but I’ve been told that) Proxy ARP is considered a security issue, and is off by default on the Nexus line.

Those misconfigured, statically addressed machines suddenly stop working, resulting in some angry phone calls.
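The practical question before a VLAN migration is “which hosts are quietly depending on proxy ARP?”  The added example below is mine, not from the post: it parses constructed tshark field output (`tshark -T fields -e arp.src.proto_ipv4 -e arp.src.hw_mac -e arp.dst.proto_ipv4 "arp.opcode == 1"`) for a VLAN assumed to be 10.20.30.0/24, flags senders that ARP for off-subnet addresses, and models whether a gateway with proxy ARP on (the 6500 default) or off (the Nexus default, per the post) would answer them.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of tshark -T fields output (sender IP, sender MAC, target IP)
# captured on a VLAN whose real subnet is 10.20.30.0/24. Addresses outside that
# subnet use RFC 5737 documentation ranges; they are not real hosts.
SAMPLE_ARP_REQUESTS = """\
10.20.30.15\t00:11:22:33:44:55\t10.20.30.1
10.20.30.77\t00:11:22:33:44:66\t10.20.31.9
10.20.30.77\t00:11:22:33:44:66\t203.0.113.10
10.20.30.15\t00:11:22:33:44:55\t10.20.30.200
10.20.30.88\t00:11:22:33:44:77\t198.51.100.53
"""


def proxy_arp_dependents(tshark_fields, vlan_subnet):
    """Map each sender MAC to (sender IP, set of off-subnet targets it ARPed for).

    A host that ARPs for an address outside vlan_subnet has a netmask wider than
    the VLAN (or a broken gateway setting) and only works while something answers
    proxy ARP. These are the hosts that break when the VLAN moves to a Nexus.
    """
    net = ipaddress.ip_network(vlan_subnet)
    found = defaultdict(lambda: [None, set()])
    for line in tshark_fields.splitlines():
        if not line.strip():
            continue
        src_ip, src_mac, target = line.split("\t")
        if ipaddress.ip_address(target) not in net:
            found[src_mac][0] = src_ip
            found[src_mac][1].add(target)
    return {mac: (ip, targets) for mac, (ip, targets) in found.items()}


def gateway_answers(target_ip, vlan_subnet, gateway_ip, proxy_arp_enabled):
    """Model whether the VLAN's SVI replies to an ARP request for target_ip.

    The gateway always answers for its own address. For any other on-subnet
    address it stays silent (the real host, if any, answers). For an off-subnet
    address it answers with its own MAC only when proxy ARP is enabled.
    """
    net = ipaddress.ip_network(vlan_subnet)
    target = ipaddress.ip_address(target_ip)
    if target == ipaddress.ip_address(gateway_ip):
        return True
    if target in net:
        return False
    return proxy_arp_enabled
```

Run the first function against a capture taken on the old 6500 before cutover; every MAC it returns is a host to fix (or a VLAN that needs proxy ARP explicitly enabled on the new switch) before the migration.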

Where I’ve Encountered It Otherwise

We have a “phone VPN” – this way you can have a $JOB phone at home, and the data between $JOB and your home is encrypted.  Thing is, it’s not the newest piece of equipment that establishes these tunnels.

This morning as part of the ongoing upgrades I’m performing, I moved the VLAN the public interface of the “phone VPN” was on from a 6500 to a Nexus 7700.  After being told “It’s not working!” I tracked down one or two configuration mistakes or omissions I had made.

“It’s still not working!”

Okay, time to do a little tshark.

“Why the hell is this thing ARPing for Internet addresses!?”

Nothing on the device’s configuration explained the behavior … luckily, you can turn Proxy ARP on for a single VLAN.

Time to go play some BF4.

